Many headlines warn eCommerce businesses about the dangers of cyber threats such as phishing scams and hackers. It makes sense that online retail is a popular target, since a digital payload of credit card data can be lucrative for ne’er-do-wells. However, Channelnomics columnist Stefanie Hoffman recently highlighted a disturbing trend – hospitals and other healthcare providers have also become a common target for cyber criminals.
Just how common? According to the Privacy Rights Clearinghouse research that Hoffman cited, healthcare has outpaced retail in terms of total number of data breach incidents in 2005. There is a silver lining, though. Cyber criminals only got away with 1.3 million patient health records, compared with the 104 million financial records compromised in retail incidents. Stringent regulations such as those outlined by the Health Insurance Portability and Accountability Act (HIPAA) in the United States help build a thicker barrier between hospitals and cyber criminals. The only catch is that a healthcare data security breach can be much more disastrous than a payment card information leak.
“Healthcare data is highly protected, making it less accessible, more scarce and, thus, more valuable,” Hoffman wrote. “And that doesn’t even take into account the shelf life. A person can cancel their credit card and apply for a new one in a matter of minutes. Changing personalized healthcare data, which requires reams of paperwork and endless haggling with medical personnel, takes a lot longer than that.”
Layered security for healthcare
The nature of healthcare data has created a new enterprise for cyber criminals. Hospitals and other organizations should respond by ensuring the security of patient data. Security education for all healthcare workers can protect against threats such as social engineering, but technology solutions can further protect digital assets.
As Hoffman pointed out, threats are constantly evolving and may require organizations to form long-term partnerships with security vendors. Consulting services to help organizations respond to new trends and identify technologies that can help ensure regulatory compliance may be necessary as cyber security becomes more complex. Hoffman also identified several critical security features healthcare professionals should begin to utilize, including:
• Mobile device management
• Keeping firewalls up to date
Patient data exposed
An incident in July at Indiana's Cancer Care Group highlighted the impact of a single healthcare data breach. After a laptop bag had been stolen, an investigation revealed the data of close to 55,000 patients had been compromised. The device stored the group’s server backup media, which contained patient and employee information such as name, address, date of birth, social security number and medical records.
“There is no evidence to believe that the back-up media were the target of the theft or that any of the information on the media has been accessed or used for fraudulent purposes,” the Cancer Group explained. “Cancer Care Group assures its patients and employees that it took immediate steps to investigate and attempt to recover the back-up media. A police report was filed and patients and employees are being notified. Unfortunately, the back-up media have not yet been recovered.”
In response to the incident, Cancer Care Group said it would heighten security practices by requiring that all data stored on portable devices be encrypted. In addition, the organization plans to institute a re-education program designed to increase data security awareness, and to update its digital storage policies and procedures.
Are most healthcare organizations doing enough to protect patient data? Should regulations be more stringent?